A local firewall for AI-agent actions.
HELM sits between Claude Code, Codex, MCP tools, shell commands, and other agent
actions. It decides ALLOW, DENY, or ESCALATE, then writes a signed receipt
you can verify later.
brew tap mindburn-labs/tap
brew trust mindburn-labs/tap # recent Homebrew requires trusting third-party taps
brew install helm-ai-kernel
helm-ai-kernel setup claude-code --yes
# Codex: helm-ai-kernel setup codex --yesAsk your agent to do something risky. HELM blocks or escalates the action before it runs, then records the decision.
helm-ai-kernel workstation verify-decision \
--receipt ~/.helm-ai-kernel/receipts/hooks/<decision>.jsonNo cloud account. No model key. No Docker. No production credentials.
| Agent tries to... | HELM does this | Proof |
|---|---|---|
| Run a destructive shell command | DENY |
signed receipt |
| Use an unknown MCP tool | ESCALATE |
quarantine record |
| Read protected secrets | DENY |
fail-closed receipt |
| Run approved work | ALLOW |
receipt + evidence |
| Export a review bundle | verify offline | EvidencePack |
HELM only governs effects that reach its boundary. For example, evals showed network egress blocks firing when an agent actually dispatched a LAN or non-allowlisted HTTPS request. Prompt-only manipulation, model refusal, or an agent that never attempts the tool call needs model, app, and sandbox controls alongside HELM.
Agent asks: delete the production database
HELM sees: protected data + irreversible action
HELM says: DENY
You get: a signed receipt you can verify offline
| Need | Link |
|---|---|
| 5-minute local proof | Quickstart |
| End-to-end proof loop | HELM Proof Loop |
| Local AI-agent risk audit | Agent Risk Scan |
| CLI commands | CLI reference |
| Security model | Execution security model |
| MCP tool quarantine | MCP integration |
| Client implementation handoff | Implementation partner handoff |
| Evidence verification | Verification |
| AI security category map | AI Security Categories |
- Not Kubernetes Helm.
- Not the hosted HELM Enterprise product.
- Not HELM Company Builder, Company OS, or HELM Network. Those are target commercial experiences around this boundary, not Kernel features or evidence that they are generally available.
- Not an app generator, foundation model, social network, bank, escrow service, payment rail, or general ledger. Users may build with any compatible external tool and route consequential actions through this boundary.
- Not a vague AI-safety claim.
It is the open-source execution boundary: policy in, action checked, receipt out.
The open-source kernel is the complete boundary, not a trial:
- The local execution boundary — verdicts, signed receipts, offline verification — is free forever.
- Bring your own keys: BYOK and self-hosting are never paywalled.
- The commercial products are the organizational layer around the boundary (hosted retention, team control plane, certification) — never the boundary itself.
Contributions are Apache-2.0 with a DCO (CONTRIBUTING.md); name and logo use is covered by TRADEMARK.md.
git clone https://github.com/Mindburn-Labs/helm-ai-kernel.git
cd helm-ai-kernel
make build
bin/helm-ai-kernel setup claude-code --yes| Release target | SDK pointers after publication |
|---|---|
v0.7.2 |
github.com/Mindburn-Labs/helm-ai-kernel/sdk/go@v0.7.2 |
v0.7.2 |
io.github.mindburnlabs:helm-sdk:0.7.2 |
Apache-2.0. See LICENSE, SECURITY.md, and CONTRIBUTING.md.
Examples are illustrative. HELM is the execution boundary, not the agent, orchestrator, cloud control plane, or observability tool.
| Category | Examples | What They Do | Where They Stop | HELM AI Kernel |
|---|---|---|---|---|
| Agent permission modes | Claude Code Auto Mode | Let agents work faster with fewer prompts. | Permission automation is not execution governance. | HELM makes every governed action produce a verdict and proof. |
| Model-vendor agents | OpenAI Agents, ChatGPT Agent, Claude agents | Provide agent runtimes, tools, guardrails, and HITL flows. | They are tied to their own agent stack and do not create neutral execution evidence. | HELM is model-neutral: any agent can route actions through the same boundary. |
| Coding agents | GitHub Copilot, Devin, Cursor, Replit Agent | Write, edit, test, and ship code faster. | They optimize developer productivity, not cross-runtime authority. | HELM governs what the agent is allowed to execute. |
| Agent orchestration | LangGraph, CrewAI, AutoGen, n8n | Decide what agents should do next. | Orchestration chooses attempts; it does not prove authorization. | HELM decides whether the attempted action may happen. |
| MCP gateways and security | Runlayer, Lasso, Obot, MintMCP, Operant | Route, scan, filter, and secure MCP/tool traffic. | Gateways protect traffic; they do not define the final authority record. | HELM quarantines tools, issues verdicts, and records signed receipts. |
| Enterprise agent control planes | Microsoft Agent 365, Entra Agent ID, ServiceNow AI Control Tower | Register, manage, and monitor agents inside enterprise platforms. | Identity and control-plane visibility are not portable execution proof. | HELM proves whether a side effect was authorized under policy. |
| Cloud-native agent governance | AWS Bedrock AgentCore, Google Agent Gateway / Model Armor | Govern agents inside cloud-provider ecosystems. | Strong inside one cloud estate; weaker as neutral cross-platform evidence. | HELM provides a portable boundary and verifier. |
| Observability and evals | LangSmith, Braintrust, Arize, Helicone, Weave | Show traces, metrics, evals, and debugging timelines. | Logs explain what happened after the fact. | HELM decides before execution and leaves verifiable proof after. |
| AI security platforms | Zenity, Noma, WitnessAI, HiddenLayer, Lakera | Detect, scan, monitor, and protect AI systems broadly. | Broad security coverage can blur runtime authority. | HELM is narrow by design: fail-closed execution control. |
| Receipt and proof projects | PipeLab / AAR, ACTA, Signet, ZeroClaw | Create receipts, signed records, or action proof. | Receipts alone do not equal governed execution. | HELM binds receipt to policy verdict, effect, reason code, and EvidencePack. |
Bottom line: most tools help agents act. HELM decides whether the action is allowed, blocks it when it is not, and leaves proof an outside reviewer can verify.
